Is Zoom HIPAA Compliant? A Beginner’s Guide
Zoom can support HIPAA compliance when you use the right plan, sign a Business Associate Agreement, and configure security controls correctly. This guide explains what “HIPAA-compliant Zoom” means, how to enable PHI Encryption and Access Controls, and how the HIPAA Privacy Rule and HIPAA Security Rule shape your responsibilities.
Zoom for Healthcare Features
Zoom for Healthcare is designed to help covered entities and business associates handle Protected Health Information during virtual care. The plan includes technical safeguards aligned with the HIPAA Security Rule and administrative tools for governance.
- Encryption for PHI in transit and at rest, with options that do not sacrifice clinical workflows.
- Role-based Access Controls, SSO/MFA support, and device management to restrict who can schedule, host, record, and access meetings.
- Audit Controls such as detailed meeting, recording, and admin activity logs to support investigations and compliance reporting.
- Telehealth-friendly features: waiting rooms for patient intake, lobby messaging, and host controls that limit participant actions.
- Data governance options, including retention settings for recordings and chat, and tools to disable nonessential features that may expose PHI.
Business Associate Agreement Requirements
A Business Associate Agreement is mandatory before Zoom processes PHI on your behalf. The BAA defines permitted uses and disclosures, required safeguards, breach notification timelines, subcontractor obligations, and data return or destruction at termination.
To meet HIPAA obligations, you should ensure your account is provisioned under a BAA and that users operate only within covered services. Maintain a list of in-scope features, document the configuration baselines the BAA assumes, and train staff to avoid noncovered workflows.
Confirm how recordings, transcripts, whiteboards, and third-party add-ons are treated under the BAA. If a feature is out of scope, either disable it or implement compensating controls that prevent PHI exposure.
Configuring Zoom for HIPAA Compliance
Account and Identity
- Use Zoom for Healthcare under a signed BAA; do not mix covered and noncovered accounts.
- Enforce SSO with MFA and strong password policies. Assign least-privilege roles and use group-based Access Controls.
Meeting Security Defaults
- Require waiting rooms and passcodes; restrict “Join before host”; lock meetings after all expected participants arrive.
- Limit screen sharing to the host by default and enable participant share only when clinically necessary.
- Disable file transfer and annotation unless required for care, and turn off automatic chat saving, which writes the meeting chat (and any PHI typed into it) to the local disk of every user who has it enabled.
Recordings and Transcripts
- Record only when necessary and with patient consent. Prefer cloud recording covered by your BAA with PHI Encryption at rest.
- Disable local recordings on unmanaged endpoints. Apply retention limits and access reviews for recordings and transcripts.
- If transcription is used, ensure the service is in scope of the BAA and governed by Audit Controls.
Apps, Integrations, and AI Features
- Disable marketplace apps, live streaming, and AI features that are not explicitly covered under the BAA.
- Document approved integrations, validate data flows, and gate any new connector through security review.
Logging and Monitoring
- Enable admin logs and export to your SIEM to satisfy Audit Controls. Review access to recordings and reports regularly.
- Run periodic configuration audits and attestations to validate continued alignment with the HIPAA Security Rule.
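The configuration baseline above is only useful if you can prove it still holds. The following is an added example for this guide, not code from Zoom or from the page's author: it takes a settings object exported from a tenant, compares it with the baseline described in this section, reports each setting that drifted or is absent, and produces the corrected object you would push back. The nested layout (schedule_meeting / in_meeting / recording) follows the shape of the JSON Zoom's settings endpoints return, but every key name and value here is an assumption to confirm against your own export; the sample export is constructed, not real tenant data.

```python
"""Drift check of an exported Zoom settings object against a HIPAA baseline.

Added example for this guide, not Zoom's own code or SDK. Key names and
values are assumptions modelled on the settings API response shape; verify
each against a real export before treating a PASS as evidence.
"""
from __future__ import annotations

import copy
import json
from typing import Any

# Baseline from "Configuring Zoom for HIPAA Compliance", as dotted paths
# into the settings object. All key names are assumed.
BASELINE: dict[str, Any] = {
    "schedule_meeting.join_before_host": False,
    "schedule_meeting.require_password_for_scheduled_meetings": True,
    "in_meeting.waiting_room": True,
    "in_meeting.who_can_share_screen": "host",
    "in_meeting.file_transfer": False,
    "in_meeting.annotation": False,
    "in_meeting.auto_saving_chat": False,
    "in_meeting.allow_live_streaming": False,
    "recording.local_recording": False,
    "recording.cloud_recording": True,
}

_MISSING = object()  # sentinel: key absent from the export


def lookup(settings: dict, dotted: str) -> Any:
    """Walk a dotted path; return _MISSING rather than guessing a default."""
    node: Any = settings
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def check_settings(settings: dict, baseline: dict[str, Any] = BASELINE) -> list[dict]:
    """Return one finding per baseline entry that is absent or differs.

    An absent key is reported as "missing", never treated as compliant:
    the export may be truncated or the feature may be governed elsewhere
    (for example at group level), so it needs a manual look.
    """
    findings = []
    for path, expected in baseline.items():
        actual = lookup(settings, path)
        if actual is _MISSING:
            findings.append({"setting": path, "expected": expected,
                             "actual": None, "status": "missing"})
        elif actual != expected:
            findings.append({"setting": path, "expected": expected,
                             "actual": actual, "status": "drift"})
    return findings


def apply_baseline(settings: dict, baseline: dict[str, Any] = BASELINE) -> dict:
    """Return a copy of the export with every baseline value enforced.

    This is the corrected object you would send back to the settings
    endpoint; the function itself never talks to Zoom.
    """
    fixed = copy.deepcopy(settings)
    for path, expected in baseline.items():
        *parents, leaf = path.split(".")
        node = fixed
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = expected
    return fixed


# Constructed sample export (not real tenant data): three settings drift from
# the baseline and one (in_meeting.annotation) is absent entirely.
SAMPLE_EXPORT = json.loads("""
{
  "schedule_meeting": {
    "join_before_host": true,
    "require_password_for_scheduled_meetings": true
  },
  "in_meeting": {
    "waiting_room": true,
    "who_can_share_screen": "all",
    "file_transfer": false,
    "auto_saving_chat": false,
    "allow_live_streaming": false
  },
  "recording": {
    "local_recording": true,
    "cloud_recording": true
  }
}
""")


def report(settings: dict) -> str:
    """Human-readable drift report suitable for an attestation record."""
    findings = check_settings(settings)
    if not findings:
        return "PASS: all baseline settings match"
    lines = [f"FAIL: {len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"  [{f['status']}] {f['setting']}: "
                     f"expected {f['expected']!r}, got {f['actual']!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))                  # FAIL with 4 findings
    print(report(apply_baseline(SAMPLE_EXPORT)))  # PASS
```

Run it on a cadence (and after any admin change) and keep the FAIL/PASS output with the date as the attestation artifact. Treat a "missing" finding as seriously as a drift: a setting you cannot see is a setting you cannot attest to, so extend the export or check the group-level policy before closing it.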
Protecting Protected Health Information
The HIPAA Privacy Rule's minimum necessary standard requires limiting uses, disclosures, and requests of PHI to what the purpose needs; disclosures to a provider for treatment are exempt from that standard, but the operating habit should apply regardless. Design workflows so that clinical teams share just what is needed and avoid placing PHI in chat, file shares, or screen shares unless essential.
Verify participant identity before discussing PHI, and confirm who is physically present with the patient. Use neutral meeting titles, sanitize on-screen notifications, and pause screen share when accessing unrelated systems.
Store PHI in your EHR or approved repository, not in personal devices or ad hoc folders. Apply PHI Encryption for data at rest, enforce endpoint protections, and document consent for recording or photography when applicable.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Limitations of Standard Zoom
Free accounts, and standard paid accounts for which no BAA has been signed, are not covered by a BAA and must not be used to handle PHI. Without a BAA, Zoom is not acting as your Business Associate, and HIPAA requirements for safeguards and breach notification are not contractually in place.
Even under Zoom for Healthcare, some features or third-party apps may be out of scope. Public live streaming, certain app integrations, or consumer-focused add-ons can route data outside covered services. Disable or strictly control these features to avoid compliance gaps.
Zoom's default mode encrypts meeting traffic between clients and Zoom's servers, but Zoom's servers hold the keys, which is what allows them to produce cloud recordings and transcripts. End-to-end encryption generates the keys on the participants' devices so Zoom cannot decrypt the media, but it disables cloud recording and live transcription and requires every participant to join from a Zoom client or Zoom Room rather than by phone dial-in. Decide per meeting type which mode you need: end-to-end encryption for sessions that will not be recorded, the default mode where BAA-covered cloud recording or transcription is required, with the other safeguards in this guide in place either way.
User Compliance Responsibilities
Technology alone does not guarantee compliance. Covered entities and business associates remain responsible for administrative, physical, and technical safeguards under the HIPAA Security Rule.
- Conduct the risk analysis the HIPAA Security Rule requires (45 CFR 164.308(a)(1)), covering telehealth specifically, and maintain risk management plans.
- Adopt policies for scheduling, identity verification, recording consent, and PHI retention.
- Train workforce members on minimum necessary use, secure screen sharing, and incident reporting.
- Harden and manage endpoints, including patching, disk encryption, and remote wipe.
- Monitor Audit Controls, review access to PHI, and document investigations and corrective actions.
- Maintain BAAs with all service providers that may access PHI, not just Zoom.
Evaluating HIPAA Compliance Risks
Begin by mapping how PHI enters, traverses, and exits Zoom sessions. Identify assets (users, devices, recordings), threats (unauthorized access, misdelivery, loss), and vulnerabilities (weak authentication, misconfigurations, unmanaged apps).
Assess likelihood and impact, then select safeguards aligned with the HIPAA Security Rule: stronger Access Controls, PHI Encryption, monitoring, and workforce training. Validate that Audit Controls capture scheduling, meeting access, and recording retrieval events.
Define metrics: percentage of meetings using required security defaults, time-to-revoke access for role changes, and cadence of log reviews. Test incident response with tabletop exercises focused on misdirected invites, lost devices, or recording exposure.
Conclusion
Zoom can be part of a HIPAA-compliant telehealth program when you use Zoom for Healthcare under a signed BAA, configure security carefully, and operate within the HIPAA Privacy Rule and HIPAA Security Rule. Pair platform safeguards with strong policies, training, and continuous monitoring to keep PHI protected.
FAQs
What is a Business Associate Agreement in Zoom?
A Business Associate Agreement is the contract that allows Zoom to handle PHI as your Business Associate. It defines permitted uses and disclosures, required safeguards, breach notification duties, subcontractor management, and how PHI is returned or destroyed when the relationship ends.
How does Zoom protect PHI?
Zoom for Healthcare supports PHI Encryption in transit and at rest, role-based Access Controls, SSO/MFA, and granular admin policies. Audit Controls record key events—such as meeting access and recording retrieval—so you can monitor activity and investigate issues.
Is the free version of Zoom HIPAA compliant?
No. The free version and standard accounts without a BAA are not appropriate for PHI. To align with HIPAA, you need Zoom for Healthcare, a signed BAA, and configurations that enforce required safeguards.
What steps are needed to ensure HIPAA compliance using Zoom?
Obtain Zoom for Healthcare under a BAA, enforce strong authentication and least-privilege roles, harden meeting defaults (waiting rooms, passcodes, limited sharing), govern recordings and transcripts, disable noncovered apps and features, enable logging and reviews, train your workforce, and document policies under the HIPAA Privacy Rule and HIPAA Security Rule.